[cabfpub] [Ticket#2018022801003595] How do you handle mass revocation requests?

Phillip philliph at comodo.com
Thu Mar 1 07:55:12 MST 2018


I don’t understand the reasoning.

 

If a cert is bad, it is bad and we need to revoke it. Period, end of story.

 

This looks like punishing resellers for behavior we want to encourage.

 

 

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of LeaderTelecom B.V. via Public
Sent: Thursday, March 1, 2018 8:06 AM
To: jeremy.rowley at digicert.com; public at cabforum.org
Subject: Re: [cabfpub] [Ticket#2018022801003595] How do you handle mass revocation requests?

 

It would be great to have a daily / monthly revocation limit for each reseller. For example, a daily limit of 1% of all active certificates (minimum 10 pcs). The monthly limit could be 20% of all active certificates of the partner (minimum 100 pcs, maximum 1000 pcs).

  

---

Kind regards,
Aleksei Ivanov


28/02/2018 22:34 - Jeremy Rowley via Public wrote: 

Here’s 10 CSRs that people can correlate with the CT logs. I’ll create another 100 or so to dispel any doubt.
 
 
From: Ryan Sleevi <sleevi at google.com>
Sent: Wednesday, February 28, 2018 2:01 PM
To: Geoff Keating <geoffk at apple.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>; Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: Re: [cabfpub] How do you handle mass revocation requests?

On Wed, Feb 28, 2018 at 3:46 PM, Geoff Keating <geoffk at apple.com> wrote:



> On 28 Feb 2018, at 11:08 am, Ryan Sleevi <sleevi at google.com> wrote:
>
> On Wed, Feb 28, 2018 at 1:59 PM, Geoff Keating via Public <public at cabforum.org> wrote:
>> This raises a question about the MDSP policy and CAB Forum requirements. Who is the subscriber in the reseller relation?  We believe this to be the key holder. However, the language is unclear.
>
> ‘Subscriber’ is a defined term in the BRs:
> Subscriber: A natural person or Legal Entity to whom a Certificate is issued and who is legally bound by a Subscriber Agreement or Terms of Use.
>
> That’s pretty clear and can’t be stretched to cover a reseller—a reseller won’t be able to comply with a Subscriber Agreement.
>
> At the risk of stretching things, I want to point out that taking this interpretation requires determining whether or not the Reseller is acting as an Applicant Representative during the process.
>
> In this case, is the Reseller legally binding the "user" (for lack of better word) to a Subscriber Agreement? If so, how does the CA determine that the Reseller is an authorized Applicant Representative, and thus entitled to legally bind the "user" to the Subscriber Agreement?

There are several ways this could be done.  However there is no question about the result, because that’s covered by 4.1.2:
Prior to the issuance of a Certificate, the CA SHALL obtain the following documentation from the Applicant:

        • A certificate request, which may be electronic; and

        • An executed Subscriber Agreement or Terms of Use, which may be electronic

So after a CA issues the certificate, it’s easy to find out who the Subscriber was (for some definition of ‘who’): you get the CA’s copy of the Subscriber Agreement and look for the bit where it says “This is an agreement between ______ and <the CA>.” and see what was written in the blank.  (And yes, it does have to be between the Subscriber and the CA, not between the Subscriber and anyone else; see the definition of ‘Subscriber Agreement’.)

 

Right, we're in violent agreement here :)

 


In addition under 9.6.1 item 6, the CA ‘represents and warrants’ that “the Subscriber and CA are parties to a legally valid and enforceable Subscriber Agreement that satisfies these Requirements…” and under 9.6.3, "The CA SHALL implement a process to ensure that each Subscriber Agreement or Terms of Use is legally enforceable against the Applicant."

 

Here's where I'm saying I've seen fuzziness, with respect to the Reseller being nominated as an Applicant Representative (effectively), thus binding the Agreement between the user (who is now the Subscriber) and <the CA>. We've left under-specified how the Applicant Representative is authorized (other than 'express authority') - other than the 3.2.5 case.

 

To be clear: I don't think this is a defensible position, but I'm saying that based on how some of the issuance practices (or, more aptly, based on complaints we've heard re: various API integrations, including those of former CAs no longer members), this does seem an interpretation that some have advanced. The CA has defined a process (the Applicant Representative agreed), but it's not a very ... good... process. The CA would be at fault, but this is where the messiness is.

 
